NotLockBit ransomware targets Apple users with advanced file-locking and data exfiltration

  • macOS faces an emerging ransomware threat, NotLockBit
  • NotLockBit malware demonstrates file-locking capabilities
  • Apple's built-in protections face issues from evolving ransomware threats

For years, ransomware attacks have predominantly targeted Windows and Linux platforms. However, cybercriminals have begun to shift their focus toward macOS users, experts have claimed.

The recent discovery of macOS.NotLockBit suggests a shift in the landscape, as this newly identified malware, named after the notorious LockBit variant, could mark the beginning of more serious ransomware campaigns against Mac users.

Discovered by researchers at Trend Micro and later analyzed by SentinelLabs, macOS.NotLockBit shows credible file-locking and data exfiltration capabilities, posing a potential risk to macOS users.

macOS.NotLockBit threat

Ransomware targeting Mac devices tends to lack the necessary tools to truly lock files or exfiltrate data. The general perception has been that macOS is better protected against these kinds of threats, partially due to Apple's built-in security features, such as Transparency, Consent, and Control (TCC) protections. However, the emergence of macOS.NotLockBit signals that hackers are actively developing more sophisticated methods for targeting Apple devices.

macOS.NotLockBit functions similarly to other ransomware, but it specifically targets macOS systems. The malware only runs on Intel-based Macs or Apple silicon Macs with Rosetta emulation software installed, which allows it to execute x86_64 binaries on newer Apple processors.

Upon execution, the ransomware collects system information, including the product name, version, and architecture. It also gathers data on how long the system has been running since its last reboot. Before locking the user’s files, macOS.NotLockBit attempts to exfiltrate data to a remote server using Amazon Web Services (AWS) S3 storage. The malware employs a public key for asymmetric encryption, meaning decryption without the attacker’s private key is nearly impossible.

The malware drops a README.txt file in directories containing encrypted files. The encrypted files are marked with an “.abcd” extension, and the README instructs victims on how to recover their files, typically by paying a ransom. Additionally, in later versions of the malware, macOS.NotLockBit displays a LockBit 2.0-themed desktop wallpaper, co-opting the branding of the LockBit ransomware group.
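The two on-disk artifacts described above (a README.txt note sitting beside files carrying the ".abcd" extension) can be checked for during incident triage. The following Python script is an added example, not code from the article or from the researchers' reports; the `min_marked` threshold, the function names and the sample file names are assumptions made for illustration.

```python
import os
import tempfile

MARKER_EXT = ".abcd"      # extension the article reports on encrypted files
NOTE_NAME = "readme.txt"  # ransom note name from the article, matched case-insensitively


def triage(root, min_marked=3):
    """List directories holding the note plus at least min_marked marked files.

    min_marked is an assumed noise threshold, not a value from the article.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        lowered = [f.lower() for f in filenames]
        marked = [f for f in filenames if f.lower().endswith(MARKER_EXT)]
        if NOTE_NAME not in lowered or len(marked) < min_marked:
            continue
        mtimes = []
        for name in marked:
            try:
                mtimes.append(os.lstat(os.path.join(dirpath, name)).st_mtime)
            except OSError:
                pass  # unreadable entry: still counted, just no timestamp
        findings.append({
            "dir": dirpath,
            "marked": len(marked),
            "untouched": len(filenames) - len(marked) - lowered.count(NOTE_NAME),
            # mtime range of marked files approximates the encryption window
            "first_mtime": min(mtimes) if mtimes else None,
            "last_mtime": max(mtimes) if mtimes else None,
        })
    return sorted(findings, key=lambda f: f["marked"], reverse=True)


def build_sample(root):
    """Constructed tree: one affected-looking directory, one benign one."""
    layout = {
        "Documents": ["README.txt", "a.docx.abcd", "b.xlsx.abcd", "c.pdf.abcd", "d.png"],
        "Projects": ["README.txt", "main.py", "notes.abcd"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in triage(tmp):
            print(hit)
```

A directory that pairs the note with several marked files is a stronger signal than either artifact alone, since README.txt is a common file name in ordinary projects.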

Thankfully, Apple’s TCC protections remain a hard nut for macOS.NotLockBit to crack. These safeguards require user consent before granting access to sensitive directories or allowing control over processes like System Events. While this creates a hurdle for the ransomware’s full functionality, TCC protection is not insurmountable, and security experts expect that future iterations of the malware may develop ways to circumvent these alerts.

Researchers from SentinelLabs and Trend Micro have not yet identified a specific distribution method, and there are no known victims at present. However, the rapid evolution of the malware, demonstrated by the increasing size and sophistication of each new sample, indicates that the attackers are actively working on improving its capabilities.

SentinelLabs identified multiple versions of the malware, suggesting that macOS.NotLockBit is still in active development. Early samples appeared lighter in functionality, focusing solely on encryption. Later versions added data exfiltration capabilities and began employing AWS S3 cloud storage to exfiltrate stolen files. The attackers hardcoded AWS credentials into the malware to create new repositories for storing victim data, though these accounts have since been deactivated.

In one of its most recent versions, macOS.NotLockBit requires macOS Sonoma, indicating that the malware developers are targeting some of the latest macOS versions. It also showed attempts at obfuscating code, suggesting that the attackers are testing various techniques to evade detection by antivirus software.

Efosa Udinmwen
Freelance Journalist
